GDPR Updates: Contract Changes

If you’re reading this, chances are you have questions about the GDPR and how OpenSRS is preparing. We’ve got answers! Sign up for our GDPR webinar on March 7 or March 8 to learn from one of our GDPR experts.

We’ve talked about two of these concepts in past blog posts, and today we’ll look at the third: Transparency.

Transparency is one of the core principles in the GDPR, emphasized in Article 5 of the policy, which states that personal data must be “processed lawfully, fairly and in a transparent manner in relation to the data subject,” and must be collected for “specified, explicit and legitimate purposes.” In short, the data subject has to be kept informed as to what data is being collected and how that data is being used.

One of the main ways that we inform our clients about how their data is being used is through our contracts, and we are now ready to share more information about the upcoming changes to our reseller and end-user service agreements, which are being made as part of our GDPR implementation efforts.

Before we dive into the specifics, I want to emphasize again how important it is to read the GDPR for yourself, and to engage legal counsel who is competent to support your business through the process of coming into compliance with the GDPR.

As we work in partnership with our clients to ensure that we accept, collect, process, and share personal data in a GDPR-compliant manner, there will be changes to our contracts, in the form of either a stand-alone Data Processing Agreement or an Addendum to the Reseller Agreement and Domain Registration Agreement. Regardless of whether we take the stand-alone-agreement or addendum route, there are a few things that you need to be aware of as a reseller.

Changes to Our Contracts with Registries

As a registrar, we have a Registry/Registrar Agreement in place with every registry with which we are accredited. We expect that many of these Agreements will be updated by the affected registries to be compliant with the GDPR. To this point, however, we’ve seen inconsistent approaches from the European ccTLD registries, and no GDPR-related contract updates from gTLD registries. We are working together with other industry groups to standardize a model for what these contractual changes will look like; without a standardized approach, we would have to negotiate individual amendments with each registry, a difficult undertaking to complete by May 25, 2018, given the number of registries with which we partner.

Working Toward an Industry-Standard Approach to Contracts

Given the changes we expect to see from registries, changes we expect registrars will make, and changes that we believe will be recommended by ICANN, we are hopeful that industry standards will develop in the coming weeks, which we can incorporate into the changes to our own agreements. These efforts are ongoing, but once a final decision about exact language has been made, we will update you. While we appreciate that uncertainty around these changes is difficult, we hope that an industry-standard amendment will make things easier for both our resellers and the industry as a whole. At the same time, we know that we can’t wait too long before sharing those changes with you. If the industry-wide amendment is not ready for distribution by the end of March, then in early April we will have our own contract changes out to our partners.

Changes to Our Contract with Reseller Partners

Our amendments to our reseller agreement will outline the obligations for both ourselves and our clients that are necessary to ensure that every user on our platform is fully protected in a way that aligns with the GDPR. We expect that contract changes will track certain standardized language that has been approved by the European Commission in years past, such as this European Commission decision, which provides some standardized contract language for data sharing.

Here are some of the changes that you can expect to see in our Master Services Agreement which governs the services we provide to resellers. These updated requirements will apply both to us and to our resellers:

Data Storage

All personal data must be stored securely and handled with appropriate protections

Any subcontractors who are allowed to access data also must have adequate security in place

Data Sharing

Any data sharing must be done in accordance with the GDPR

Data that is shared must be maintained securely by both the sending and the receiving parties

Any data exporter will be liable for damages suffered by the data subject for any violations of the GDPR

Disclosure

The data subject will be informed about the collection and sharing of their personal data in a GDPR-compliant manner

All contracted parties (including Tucows and the reseller partner) agree to work cooperatively with Data Protection Authorities if questions arise about the use and sharing of personal data

Changes to Our Contract with Registrants (End-Users)

Clear explanation of which data elements are required by contract — we require the registrant’s first and last name, organization name (if provided), email address, and country; Registry agreements may extend this contractual data set.

Confirmation that, if a third-party’s contact information is used as the domain’s administrative, billing, or technical contact, the registrant will have the appropriate contract and/or consent with that third-party to satisfy the GDPR’s requirements around data use

Moving forward

Rest assured, there will be no major surprises found in the changes to the Master Services Agreement or Domain Registration Agreement, provided your business is GDPR compliant. As always, we’re taking care of the heavy lifting to minimize the effort required on your end. We hope this allows you to remain focused on your day-to-day business and whatever internal changes you may need to make to come into compliance with the GDPR. Take a look at the European Commission’s standard contract text, and keep an eye out for our future updates. And don’t forget to sign up for our GDPR webinar, where we’ll share more details about exactly how this new regulation is affecting the OpenSRS domain service offering. Hope to see you there!